Analytics Story: CVE-2023-21716 Word RTF Heap Corruption

Description

A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution utilizing a heap corruption in rich text files.

Why it matters

This analytic story covers content that will assist organizations in identifying potential RTF RCE abuse on endpoints. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office''s "wwlib.dll" and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable. A remote attacker could potentially take advantage of the issue to execute code with the same privileges as the victim that opens a malicious .RTF document. Delivering the malicious file to a victim can be as easy as an attachment to an email, although plenty of other methods exist. Microsoft warns that users don''t have to open a malicious RTF document and simply loading the file in the Preview Pane is enough for the compromise to start. (BleepingComputer, 2023)

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Winword Spawning Cmd Phishing, Spearphishing Attachment TTP
Winword Spawning PowerShell Phishing, Spearphishing Attachment TTP
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1